Astro Server Islands Memory Exhaustion Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Astro's Server Islands feature, present in versions prior to 10.0.0. The issue arises because the POST handler for Server Islands routes buffers and parses the entire request body as JSON without any size limit. This lack of restriction allows an unauthenticated request to send a payload of numerous small JSON objects, leading to significant memory amplification and causing the server to crash. The vulnerability affects all Astro SSR applications using the Node standalone adapter, as the problematic route is registered by default, regardless of whether server:defer components are used.

Impact

Exploitation of this vulnerability causes the server process to run out of memory and crash, disrupting service for all users. In containerized environments with memory limits, this crash triggers a restart loop, further exacerbating the denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/_server-islands/[name]' route with a payload of approximately 3 million empty JSON objects. This payload, which is about 8.6 MB in size, is parsed by the server without any restrictions, leading to a memory allocation of over 180 MB. This excessive memory use causes the server to exceed its limits and crash, especially in environments with constrained resources.

Remediation

Users can upgrade to Astro version 10.0.0 or later to address this vulnerability.
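The root cause described above, a POST handler that buffers and JSON-parses the whole request body with no size limit, is a general pattern rather than something specific to Astro. The following is an added illustration of the defensive counterpart for a Node HTTP handler; it is not Astro's code and not the fix shipped in 10.0.0. The limit constant, the error class, the function names and the response shape are assumptions made for the example.

```javascript
// Added example, not Astro's code: a bounded JSON body reader for a Node HTTP
// handler. The advisory's root cause is a POST handler that buffers and parses
// the entire body with no size limit; this shows the defensive pattern of
// rejecting oversized bodies before they are accumulated or parsed.

// Assumed limit for the example. Server Island requests carry small JSON, so
// a few hundred KB is generous; tune it for your own routes.
const DEFAULT_MAX_BODY_BYTES = 256 * 1024;

class PayloadTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'PayloadTooLargeError';
    this.statusCode = 413; // HTTP 413 Content Too Large
  }
}

// Cheap pre-check: refuse a declared Content-Length above the cap before
// reading any body bytes. An absent or dishonest header is still caught by the
// streaming check below, so this is an optimisation, not the guarantee.
function checkContentLength(headers, maxBytes) {
  const declared = headers['content-length'];
  if (declared === undefined) return;
  const n = Number(declared);
  if (!Number.isInteger(n) || n < 0) throw new Error('malformed content-length');
  if (n > maxBytes) throw new PayloadTooLargeError(maxBytes);
}

// Running byte counter shared by the sync and async readers. Throws the moment
// the total crosses maxBytes, so memory held never exceeds maxBytes plus the
// single chunk that crossed the line.
function byteBudget(maxBytes) {
  let total = 0;
  return {
    add(chunk) {
      total += chunk.length;
      if (total > maxBytes) throw new PayloadTooLargeError(maxBytes);
    },
    total() { return total; },
  };
}

// Synchronous form over any iterable of Buffers (for bodies already in hand).
function collectWithLimit(chunks, maxBytes) {
  const budget = byteBudget(maxBytes);
  const parts = [];
  for (const chunk of chunks) {
    budget.add(chunk);
    parts.push(chunk);
  }
  return Buffer.concat(parts, budget.total());
}

// Parse only after the byte cap has been enforced. Because each parsed JSON
// value costs roughly constant memory, bounding input bytes also bounds the
// in-memory amplification the advisory describes.
function parseBoundedJson(chunks, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  return JSON.parse(collectWithLimit(chunks, maxBytes).toString('utf8'));
}

// Async form for a real http.IncomingMessage, which is an async iterable of
// Buffers. On overflow the request is destroyed so the remainder is never read.
async function readJsonBody(req, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  checkContentLength(req.headers, maxBytes);
  const budget = byteBudget(maxBytes);
  const parts = [];
  try {
    for await (const chunk of req) {
      budget.add(chunk);
      parts.push(chunk);
    }
  } catch (err) {
    req.destroy();
    throw err;
  }
  return JSON.parse(Buffer.concat(parts, budget.total()).toString('utf8'));
}

// Route-level usage: map the error onto a 413 instead of letting an unbounded
// allocation take the process down. Handler name and response are assumed.
async function handleServerIslandPost(req, res) {
  try {
    const body = await readJsonBody(req);
    res.writeHead(200, { 'content-type': 'application/json' });
    res.end(JSON.stringify({ ok: true, received: typeof body }));
  } catch (err) {
    res.writeHead(err instanceof PayloadTooLargeError ? 413 : 400);
    res.end();
  }
}
```

The byte cap is what bounds the amplification: by the ratio the reproduction section reports (roughly 8.6 MB of input growing to over 180 MB allocated), a 256 KB cap limits the worst case to a few megabytes per request, which a process can absorb, and a client that declares or streams more than that is cut off at the socket rather than at the allocator. The Content-Length pre-check is only an early exit; the streaming counter is the control that actually holds when the header is missing or false.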

Added: Mar 24, 2026, 7:40 PM
Updated: Mar 24, 2026, 7:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.